sebas865
Staff
Article Id 357295
Description This article describes how to configure a DLP rule to block .BAK file extensions.
Scope FortiGate v7.2.x and FortiGate v7.4.x.
Solution

Follow these steps to block .BAK files using a DLP profile.

Configuration via CLI:

Open the FortiGate CLI console. See this article.

Create a DLP filepattern. DLP file patterns match selected file types and filename patterns. Since '.bak' files can have many possible true file types, it is necessary to block based on the name of the file.

Ensure there are no other file pattern rules with the number 10. If one exists, use a different number.

config dlp filepattern
    edit 10
        set name "bak"
        config entries
            edit "*.bak"
            next
        end
    next
end


Filenames are checked against the name of the file pattern entry, here '*.bak'.

Create a DLP profile:

config dlp profile
    edit "DLP_BAK"
        config rule
            edit 1
                set proto http-get http-post
                set file-type 10
                set action block
            next
        end
    next
end


The DLP profile above scans HTTP/HTTPS GET and POST requests. If required, additional file transfer protocols can be scanned. To scan encrypted SMB traffic, 'cifs' must be included in 'proto' and a matching CIFS credential must be configured; see 'Administration Guide: CIFS support'.

config dlp profile
    edit "DLP_BAK"
        config rule
            edit 1
                append proto ?

smtp         SMTP.
pop3         POP3.
imap         IMAP.
http-get     HTTP GET.
http-post    HTTP POST.
ftp          FTP.
nntp         NNTP.
cifs         CIFS.

Create a firewall policy with proxy inspection, enable the DLP profile, and configure deep inspection within the SSL profile.

Ensure the firewall policy is configured according to the network topology.

config firewall policy
    edit 100
        set name "DLP_policy"
        set srcintf "port2"
        set dstintf "virtual-wan-link"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "deep-inspection"
        set dlp-profile "DLP_BAK"
        set nat enable
    next
end

After applying this configuration, .BAK files can be blocked by the DLP profile.
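
The policy prerequisites above (proxy inspection mode and a deep-inspection SSL profile on every policy that uses the DLP profile) can be checked against a saved configuration. The following Python script is an added example, not part of the original article or of Fortinet tooling; the function names, the deep_profiles parameter and the sample configuration are constructed for illustration, and it assumes its input is a single 'config firewall policy' block.

```python
import re

# Constructed sample in the layout of FortiOS 'show firewall policy' output.
SAMPLE_CONFIG = '''\
config firewall policy
    edit 100
        set inspection-mode proxy
        set ssl-ssh-profile "deep-inspection"
        set dlp-profile "DLP_BAK"
    next
    edit 101
        set ssl-ssh-profile "certificate-inspection"
        set dlp-profile "DLP_BAK"
    next
    edit 102
        set inspection-mode proxy
    next
end
'''

def parse_policies(text):
    """Map policy id -> {setting: value} for one 'config firewall policy' block."""
    policies, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        match = re.fullmatch(r"edit (\d+)", line)
        if match:
            current = policies.setdefault(int(match.group(1)), {})
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            current[key] = value.strip('"')
    return policies

def audit_dlp_policies(text, profile="DLP_BAK", deep_profiles=("deep-inspection",)):
    """Return (policy_id, problem) for policies using `profile` without its prerequisites."""
    findings = []
    for pid, cfg in sorted(parse_policies(text).items()):
        if cfg.get("dlp-profile") != profile:
            continue
        # Assumption: a setting missing from 'show' output is at its default (flow).
        if cfg.get("inspection-mode", "flow") != "proxy":
            findings.append((pid, "inspection-mode is not proxy"))
        if cfg.get("ssl-ssh-profile") not in deep_profiles:
            findings.append((pid, "ssl-ssh-profile is not a deep-inspection profile"))
    return findings

if __name__ == "__main__":
    print(*audit_dlp_policies(SAMPLE_CONFIG), sep="\n")
```

If a custom deep-inspection SSL profile is in use, pass its name in deep_profiles so that policies referencing it are not flagged.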


To view Data Loss Prevention profiles in the GUI, enable 'Data Loss Prevention' in System > Feature Visibility.

After enabling, DLP profiles can be reviewed in the GUI.

The page can also be reached by appending '/utm/dlp' to the URL or IP address used to access FortiGate, for example 'https://x.x.x.x/utm/dlp'.


Related article:
Configure Data Leak/Loss Prevention (DLP) - Fortinet Community